Doing Business with ATI

Obtaining a Dun & Bradstreet D-U-N-S® Number

In order to register in the System of Award Management (SAM), an organization will first need to receive a Dun and Bradstreet number (D-U-N-S®). Your business Tax ID number, bank account, bank routing number and business address are necessary to apply for this number.

System for Award Management (SAM)

All companies desiring to do business with the Federal Government are required to have an active record on the Government’s System for Award Management (SAM).

SAM is the Official U.S. Government system that consolidated the capabilities of CCR/FedReg, ORCA and EPLS. There is NO fee to register.

ATI subcontractors and suppliers shall complete the Representations and Certifications in SAM.gov.

See How to Register in SAM for further information.

Obtaining a DD Form 2345 - Militarily Critical Technical Data Agreement

A DD Form 2345 is required by U.S. contractors that wish to obtain access to unclassified technical data disclosing militarily critical technology with military or space application that is under the control of, or in the possession of the U.S. Department of Defense (DoD).

Many of ATI-managed consortia require prospective members to obtain a DD Form 2345. In order to obtain a DD Form 2345, an organization is required to have a CAGE code. An organization must register in the System for Award Management (SAM) in order to obtain a CAGE code. Lastly, in order to register in SAM, an organization will first need to receive a Dun and Bradstreet number (D-U-N-S). Your business Tax ID number, bank account, bank routing number and business address are also necessary.

How to obtain a DD Form 2345.

Small Business Requirements

It is the intent of ATI that small businesses are given an equitable opportunity to compete for ATI purchases consistent with the efficient performance of our business. Each division in ATI will comply with the intent of the requirements set forth by FAR 52.219. Should your business meet any of the small business criteria listed, you are encouraged to contact sbadminSum@ati.org to be registered as a vendor with ATI and be considered for future purchases and business needs.For subcontracts that are subject to the Federal Acquisition Regulations, Small Business Classifications include (these are all self-certified classifications, except for the HubZone):

• Small Disadvantaged Business (SDB)
• Woman Owned (WO)
• HubZone – (HubZone Certification Application)
• Veteran Owned (VO)
• Service Disabled Veteran (SDVO)
• Historically Black Colleges and Universities (HBCU)
• Minority Institutions (MI)

For more information, please visit the following useful websites:

• Small Business Administration (SBA)
• North American Industry Classification System (NAICS)

Representations and Certifications (Reps and Certs)

In accordance with FAR Subpart 4.12, ATI is prohibited from awarding a procurement funded under a U.S. Government contract unless the seller certifies it complies with certain U.S. Government policies and laws. In order to facilitate this requirement, your contracts or purchasing representative will verify your organization has active Representations and Certifications at SAM.gov.

Vendor Management

ATI maintains a database of all vendors, suppliers, and subcontractors who are and have done business with us. Please contact your contracts or purchasing representative to register as a new vendor or update previously submitted information as an existing member.

Vendor forms (including a W-9 Form, Electronic Funds Transfer Request Form and Small Business Self-Certification Form) can be provided to you via email for completion.

Invoicing and Prompt Payment

ATI’s standard payment terms are NET 30 days from the date an acceptable invoice is received. However, other payment terms may be negotiated with your contracts representative. Please refer to your subcontract agreement or purchase order for the applicable payment terms.

In order to facilitate prompt payment of invoices submitted to ATI, we ask that you please forward your invoices to afgforms@ati.org.

Please refer to your subcontract agreement or purchase order for guidance on submitting an acceptable invoice.

Payment Inquiries may be directed to your ATI subcontract representative or afgforms@ati.org

Contracting

ATI is committed to providing procurement services of the highest quality to exceed the expectations of all of our business partners. We ensure that ATI agreements reflect the best value for our clients and partners. It is our goal to build long term, mutually favorable relationships with our suppliers, subcontractors, team members and clients based on trust, honesty, and candor.

We welcome your questions and feedback as we strive to achieve our goals.

Please contact us!

Ethics & Compliance

ATI has implemented a Supplier Code of Conduct which outlines our expectations for the high ethical and compliance standards we require from our Suppliers. The Supplier Code of Conduct is reflective of the standards for ATI Associates, Executives, Director, Partners, and Affiliates. ATI expects its suppliers, subcontractors, and vendors to not only comply with the ATI Supplier Code of Conduct but to also have their own Code of Conduct applicable to their organization and business operations. We value our relationship with your organization and thank you for being part of the continued success of ATI. If you should have any questions regarding ATI’s Supplier Code of Conduct, or need further assistance, please contact:

Paige Shannon
Compliance Officer
315 Sigma Drive
Summerville, SC  29486
843-760-3638
paige.shannon@ati.org

ATI Ethics and Compliance Hotline

ATI has implemented an Ethics and Compliance Hotline (in accordance with FAR Part 52.203-13) to serve as a reporting mechanism through which employees, agents, and third party vendors may report suspected instances of improper conduct.

The hotline is available 24/7/365, and all reports may be made anonymously or named at:

• 844-518-1419
• ati.ethicspoint.com

Department of Defense (DoD) Hotline

The mission of the DoD Hotline is to provide a confidential, reliable means to report violations of law, rule or regulation, mismanagement, gross waste of funds, abuse of authority and classified information leaks involving the Department of Defense; as well as the detection and prevention of threats and danger to the public health and safety of the Department and our Nation.

Anyone may file a complaint with the DoD Hotline at 1-800-424-9098 to report fraud, misuse and misrepresentation relating to DoD contract.

A report can also be made through the Fraud Waste and Abuse website.

Additional Ethics and Compliance Resources

For more information on adherence to laws and establishing effective Ethics and Compliance Programs, please visit the following websites.

• Federal Acquisition Regulation 52.203.13
• Evaluating Ethics and Compliance Programs – National Defense Magazine, March 2016
• Society of Corporate Compliance and Ethics (SCCE)
• U.S. Office of Government Ethics

Below is a list of Integrated Compliance Solutions providing online training, hotline services, policy management, reporting and analytics, and more:

• NAVEX Global (Governance, Risk, and Compliance Solution)
• The Network Inc. (A NAVEX Global Company)
• LRN

Cybersecurity - Adhering to New DoD Requirements

In October of 2016, DoD adopted a final rule amending the Defense Federal Acquisition Regulation (DFARS), which requires contractors to report on network penetrations. While the main elements of the DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) remained intact, the final rule and DFARS clause 252.204-7012 did include several updates and clarifications. However, please be advised that your company should adhere to the version of the DFARS clause contained in your subcontract agreement. The current version of the DFARS clause is available here.

DoD Guidance on Cyber Security

Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense’s (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced in mid 2019 that it is creating a cybersecurity assessment model and certification program. On January 31st, 2020, DoD officials released CMMC 1.0.

• The CMMC combines various cybersecurity standards and best practices and maps these controls and processes across several maturity levels that range from basic to advanced cyber hygiene. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
• The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
• The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
• The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

For additional information, please reference the DoD Acquisition website pertaining to CMMC (https://www.acq.osd.mil/cmmc/index.html) and the CMMC Accreditation Body website (https://www.cmmcab.org/).

CMMC Resources:

• https://info.summit7systems.com/blog
• https://www.complyup.com/cmmc/
• https://www.complianceforge.com/cybersecurity-maturity-model-certification-cmmc/
• https://www.exostar.com/cmmc/
• CMMC 1.0 Webinar Slides

Here is the Q&A from the Webinar.

CMMC Webinar hosted by ATI on February 20, 2020:

NIST 800-171 Checklist Framework

The National Institute of Standards and Technology (NIST) guidelines 800-171 Revision 1 (Protecting Controlled Unclassified Information in NonFederal Information Systems and Organizations) were released in June 2015. NIST 800-171 outlines a subset of the NIST 800-53 requirements. Detailed mapping is available in the NIST Special Publication 800-171 Revision 1, Appendix D, Table D-1, page 30. ATI is providing a Checklist Framework (pdf format) that you can use to assist in determining if you are NIST compliant and where you may need to enhance security measures. The NIST Cybersecurity Self-Assessment Handbook is for assessing NIST SP 800-171 Security Requirements in response to DFARS Cybersecurity Requirements.

Compliance Resources

The following is a list of resources to assist you in identifying areas that need improvement in your security requirements checklist. These resources may also provide assistance in becoming NIST 800-171 compliant.

• Cyber Security Evaluation Tool (CSET®)
• CyberAssess
• Small Business, Big Threat
• i2 Compliance Tools
• Praetorian
• Telos
• GovDataHosting
• National Technical Information Service
• Amazon Web Services
• FISMA

Additional Cybersecurity Resources

• DFARS Clause 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting (check the version in your subcontract)
• NIST Cybersecurity Framework
• NIST 800-171 – Protecting Controlled Unclassified Information in NonFederal Information Systems and Organizations
• National Vulnerability Database
• National Cyber-Forensics & Training Alliance (NCFTA)
• Infragard Partnership for Protection
• Cybersecurity Small Business Training Course (30 minutes) – Small Business Administration (SBA)
• Federally-Funded Cybersecurity Resources for Small Businesses – see Appendix II, page 23
• NIST Cybersecurity Self-Assessment Handbook
• Cybersecurity for Small Business

Tips to Improve Cybersecurity

• Train employees in security principles – have standards of protocol and behavior
• Protect hardware, networks and information – update antivirus software
• Create mobile device action plan – use password protection, encrypt data and use security apps on phones that have access to confidential information; establish reporting procedure for lost or stolen phones
• Back up important data and information – back up documents and information to computers and to the cloud or offsite
• Control physical access to computers – lock up laptops when unused; create user accounts for each employee; allow administrative privileges only to trusted IT staff and personnel
• Secure Wi-Fi networks – make sure wireless is encrypted, SSID is hidden and networks have passwords
• Use best practices with payment cards – work with banks and processors to set up anti-fraud services; do not use the same computer to process payments and surf the internet
• Limit employee access and authority – give employees access only to the data systems necessary for their tasks; do not allow installation of software without permission
• Require passwords and authentication – have employees use unique passwords and require them to change these passwords every three months; consider further authentication practices with additional information; check with vendors who handle sensitive information

Information Source: U.S. Small Business Administration.

June 23, 2017 - DoD Industry Information Day

On June 23, 2017, the Chief Information Officer of DoD hosted an Industry Information Day to brief the implementation of the new Cybersecurity rules, and to address industry feedback. Attached, for your convenience, is a copy of the very detailed presentation regarding “Cybersecurity Challenges – Protecting DoD’s Unclassified information”.

• Defense Acquisition University’s (DAU) 3 Part Video Series on “Protecting DoD’s Unclassified Information – Part 1
• Defense Acquisition University’s (DAU) 3 Part Video Series on “Protecting DoD’s Unclassified Information – Part 2
• Defense Acquisition University’s (DAU) 3 Part Video Series on “Protecting DoD’s Unclassified Information – Part 3